From: ebiederm@xmission.com (Eric W. Biederman)
To: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: Cong Wang <xiyou.wangcong@gmail.com>,
Florian Westphal <fw@strlen.de>,
netfilter-devel@vger.kernel.org,
Linux Kernel Network Developers <netdev@vger.kernel.org>
Subject: Re: [PATCH nf-next] netns: add and use net_ns_barrier
Date: Wed, 14 Jun 2017 09:20:25 -0500
Message-ID: <87wp8eabx2.fsf@xmission.com>
In-Reply-To: <20170614084147.GC31030@salvia> (Pablo Neira Ayuso's message of "Wed, 14 Jun 2017 10:41:47 +0200")
Pablo Neira Ayuso <pablo@netfilter.org> writes:
> Hi!
>
> On Tue, Jun 13, 2017 at 09:35:20AM -0700, Cong Wang wrote:
>> On Mon, Jun 12, 2017 at 11:16 PM, Florian Westphal <fw@strlen.de> wrote:
>> > Cong Wang <xiyou.wangcong@gmail.com> wrote:
>> >> On Thu, Jun 1, 2017 at 1:52 AM, Florian Westphal <fw@strlen.de> wrote:
>> >> > Joe described it nicely, problem is that after unload we may have
>> >> > conntracks that still have a nf_conn_help extension attached that
>> >> > has a pointer to a structure that resided in the (unloaded) module.
>> >>
>> >> Why not hold a refcnt for its module?
>> >
>> > That would work as well.
>> >
>> > I'm not sure it's nice to disallow rmmod of helper modules if they are
>> > used by a connection however.
>>
>> I am _not_ suggesting to disallow rmmod.
>>
>> >
>> > Right now you can "rmmod nf_conntrack_foo" at any time and this should
>> > work just fine without first having to flush affected conntracks
>> > manually.
>>
>> My point is that since the netns wq could invoke code of that module,
>> why doesn't it hold a refcnt of that module?
>>
>> I am not familiar with netfilter code base so not sure if that is
>> hard to do or not, but it looks more elegant than this barrier.
>
> Florian has added a new native interface to integrate helpers into
> nftables in a much better way than we do now, that allows much more
> fine-grained configuration. This new interface bumps refcounts on
> helpers as you suggest.
>
> However, we still have to sort of keep the existing behaviour around,
> people have been relying on this rmmod feature to globally disable
> helpers. It's a very old thing indeed and as you can see, very coarse
> grained for the netns era... But still I think we need this.
>
> So I'm inclined to take this, and keep an eye on deprecating this
> behaviour several years ahead. Probably we can get rid of
> this barrier at some point.
Acked-by: "Eric W. Biederman" <ebiederm@xmission.com>
If it works I don't have any problems with the code and it sounds like
it works.
My apologies for the delay. There is an email black hole between Florian
and myself and I missed his replies, which gave me a very distorted
picture of the conversation.
Eric
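A user-space model of the race Florian describes (cleanup work still calling a helper from an unloaded module) and of the barrier Cong asks about, as an added example that is not code from the thread or the kernel. All names are hypothetical stand-ins: net_mutex is held by the modelled cleanup work, net_ns_barrier() just takes and drops it, and the delay in cleanup_net() is simulated.

```c
#include <pthread.h>
#include <stdatomic.h>
#include <time.h>

struct helper { int calls; };                 /* stand-in for a conntrack helper */
static pthread_mutex_t net_mutex = PTHREAD_MUTEX_INITIALIZER; /* held by cleanup */
static pthread_mutex_t sync_mu = PTHREAD_MUTEX_INITIALIZER;
static pthread_cond_t sync_cv = PTHREAD_COND_INITIALIZER;
static int in_cleanup;                        /* cleanup has taken net_mutex */
static atomic_int tick;                       /* global ordering counter */
static int cleanup_done_at, helper_freed_at;

/* Model of net_ns_barrier(): return only once no cleanup holds net_mutex. */
static void net_ns_barrier(void)
{
    pthread_mutex_lock(&net_mutex);
    pthread_mutex_unlock(&net_mutex);
}

/* Model of the netns cleanup work: walks conntracks and calls the helper. */
static void *cleanup_net(void *arg)
{
    struct helper *h = arg;
    pthread_mutex_lock(&net_mutex);
    pthread_mutex_lock(&sync_mu);
    in_cleanup = 1;                           /* tell unload we are in flight */
    pthread_cond_signal(&sync_cv);
    pthread_mutex_unlock(&sync_mu);
    nanosleep(&(struct timespec){0, 20000000}, NULL); /* simulated slow walk */
    h->calls++;                               /* the helper is still in use here */
    cleanup_done_at = atomic_fetch_add(&tick, 1);
    pthread_mutex_unlock(&net_mutex);
    return NULL;
}

/* Unload racing with cleanup: 1 = helper released after cleanup finished (safe),
 * 0 = released while cleanup still used it (the bug the barrier prevents). */
int run_unload(int use_barrier)
{
    struct helper h = {0}; pthread_t t;
    in_cleanup = 0;
    atomic_store(&tick, 0);
    pthread_create(&t, NULL, cleanup_net, &h);
    pthread_mutex_lock(&sync_mu);
    while (!in_cleanup) pthread_cond_wait(&sync_cv, &sync_mu);
    pthread_mutex_unlock(&sync_mu);
    if (use_barrier) net_ns_barrier();        /* wait for in-flight cleanup */
    helper_freed_at = atomic_fetch_add(&tick, 1); /* stands in for freeing it */
    pthread_join(t, NULL);
    return cleanup_done_at < helper_freed_at;
}
```

run_unload(0) models rmmod without the barrier and reports the helper released while cleanup was still using it; run_unload(1) shows the barrier ordering the release after the in-flight cleanup.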